Details of VAR-201008-0278

ID

VAR-201008-0278

CVE

CVE-2010-2973

TITLE

iPhone and iPod touch Run on Apple iOS of IOSurface Vulnerable to integer overflow

Trust: 0.8

sources: JVNDB: JVNDB-2010-001949

DESCRIPTION

Integer overflow in IOSurface in Apple iOS before 4.0.2 on the iPhone and iPod touch, and before 3.2.2 on the iPad, allows local users to gain privileges via vectors involving IOSurface properties, as demonstrated by JailbreakMe. Successfully exploiting this issue can allow attackers to elevate privileges, leading to a complete compromise of the device. iOS versions 4.0.1 and prior are vulnerable. NOTE (August 12, 2010): This BID was previously titled 'Apple iOS Multiple Vulnerabilities' and included details about a remote code-execution vulnerability. Following further analysis, we determined that the remote code-execution issue was already documented in BID 42241 (FreeType Compact Font Format (CFF) Multiple Stack Based Buffer Overflow Vulnerabilities). ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Apple iOS Security Bypass and PDF File Processing Vulnerability SECUNIA ADVISORY ID: SA40807 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40807/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40807 RELEASE DATE: 2010-08-03 DISCUSS ADVISORY: http://secunia.com/advisories/40807/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40807/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40807 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people to compromise a user's system. 1) An error in the processing of PDF files can be exploited to execute arbitrary code e.g. when a user visits a specially crafted web page. 2) An unspecified error in the kernel can be exploited to gain escalated privileges. The vulnerabilities are reported in 4.0.1. Other versions may also be affected. NOTE: The vulnerabilities are currently exploited to jailbreak a vulnerable device. SOLUTION: Do not browse untrusted sites or follow links from untrusted sources. Do not open PDF files from untrusted sources. PROVIDED AND/OR DISCOVERED BY: comex, disclosed via jailbreakme.com OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2010-2973 // JVNDB: JVNDB-2010-001949 // BID: 42151 // VULHUB: VHN-45578 // PACKETSTORM: 92371

AFFECTED PRODUCTS

vendor:	apple	model:	iphone os	scope:	eq	version:	4.0	Trust: 1.6
vendor:	apple	model:	iphone os	scope:	eq	version:	4.0.1	Trust: 1.6
vendor:	apple	model:	ios	scope:	eq	version:	2.0 to 4.0.1 (iphone 3g after )	Trust: 0.8
vendor:	apple	model:	ios	scope:	eq	version:	2.1 to 4.0 (ipod touch (2nd generation) after )	Trust: 0.8
vendor:	apple	model:	ios	scope:	eq	version:	3.2 and 3.2.1 (ipad for )	Trust: 0.8
vendor:	apple	model:	ipad	scope:	-	version:	-	Trust: 0.8
vendor:	apple	model:	ipod touch	scope:	-	version:	-	Trust: 0.8
vendor:	suse	model:	linux enterprise server sp2	scope:	eq	version:	10	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3
vendor:	apple	model:	ipod touch	scope:	eq	version:	3.1.3	Trust: 0.3
vendor:	apple	model:	ipod touch	scope:	eq	version:	3.1.2	Trust: 0.3
vendor:	apple	model:	ipod touch	scope:	eq	version:	3.1.1	Trust: 0.3
vendor:	apple	model:	ipod touch	scope:	eq	version:	3.0	Trust: 0.3
vendor:	apple	model:	iphone	scope:	eq	version:	3.1.3	Trust: 0.3
vendor:	apple	model:	iphone	scope:	eq	version:	3.1.2	Trust: 0.3
vendor:	apple	model:	iphone	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	apple	model:	iphone	scope:	eq	version:	3.1	Trust: 0.3
vendor:	apple	model:	iphone	scope:	eq	version:	3.0	Trust: 0.3
vendor:	apple	model:	ipad	scope:	eq	version:	3.2.1	Trust: 0.3
vendor:	apple	model:	ipad	scope:	eq	version:	3.2	Trust: 0.3
vendor:	apple	model:	ipad	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	ne	version:	4.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	ne	version:	3.2.2	Trust: 0.3

sources: BID: 42151 // JVNDB: JVNDB-2010-001949 // CNNVD: CNNVD-201008-051 // NVD: CVE-2010-2973

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2010-2973
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2010-2973
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201008-051
value:	HIGH
Trust: 0.6
VULHUB:	VHN-45578
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2010-2973
severity:	MEDIUM
baseScore:	6.9
vectorString:	AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.4
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-45578
severity:	MEDIUM
baseScore:	6.9
vectorString:	AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.4
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-45578 // JVNDB: JVNDB-2010-001949 // CNNVD: CNNVD-201008-051 // NVD: CVE-2010-2973

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-45578 // JVNDB: JVNDB-2010-001949 // NVD: CVE-2010-2973

THREAT TYPE

local

Trust: 0.9

sources: BID: 42151 // CNNVD: CNNVD-201008-051

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201008-051

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-001949

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-45578

PATCH

title:	HT4292	url:	http://support.apple.com/kb/HT4292	Trust: 0.8
title:	HT4291	url:	http://support.apple.com/kb/HT4291	Trust: 0.8
title:	HT4291	url:	http://support.apple.com/kb/HT4291?viewlocale=ja_JP	Trust: 0.8
title:	HT4292	url:	http://support.apple.com/kb/HT4292?viewlocale=ja_JP	Trust: 0.8
title:	Apple iOS IOSurface Fixes for integer overflow vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=203165	Trust: 0.6

sources: JVNDB: JVNDB-2010-001949 // CNNVD: CNNVD-201008-051

EXTERNAL IDS

db:	NVD	id:	CVE-2010-2973	Trust: 2.8
db:	BID	id:	42151	Trust: 2.8
db:	SECUNIA	id:	40807	Trust: 2.6
db:	OSVDB	id:	66827	Trust: 2.5
db:	EXPLOIT-DB	id:	14538	Trust: 1.7
db:	JVNDB	id:	JVNDB-2010-001949	Trust: 0.8
db:	CNNVD	id:	CNNVD-201008-051	Trust: 0.7
db:	VULHUB	id:	VHN-45578	Trust: 0.1
db:	PACKETSTORM	id:	92371	Trust: 0.1

sources: VULHUB: VHN-45578 // BID: 42151 // JVNDB: JVNDB-2010-001949 // PACKETSTORM: 92371 // CNNVD: CNNVD-201008-051 // NVD: CVE-2010-2973

REFERENCES

url:	http://www.securityfocus.com/bid/42151	Trust: 2.5
url:	http://osvdb.org/66827	Trust: 2.5
url:	http://secunia.com/advisories/40807	Trust: 2.5
url:	http://lists.apple.com/archives/security-announce/2010//aug/msg00000.html	Trust: 1.7
url:	http://lists.apple.com/archives/security-announce/2010//aug/msg00001.html	Trust: 1.7
url:	http://support.apple.com/kb/ht4291	Trust: 1.7
url:	http://support.apple.com/kb/ht4292	Trust: 1.7
url:	http://www.exploit-db.com/exploits/14538	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2973	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2973	Trust: 0.8
url:	http://www.apple.com/iphone/softwareupdate/	Trust: 0.3
url:	http://www.apple.com/iphone/	Trust: 0.3
url:	http://www.apple.com/ipodtouch/	Trust: 0.3
url:	http://twitter.com/comex/status/20918593762	Trust: 0.3
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=40807	Trust: 0.1
url:	http://secunia.com/products/corporate/evm/	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.1
url:	http://secunia.com/advisories/40807/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/personal/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/gfx/pdf/secunia_half_year_report_2010.pdf	Trust: 0.1
url:	http://secunia.com/advisories/40807/#comments	Trust: 0.1

sources: VULHUB: VHN-45578 // BID: 42151 // JVNDB: JVNDB-2010-001949 // PACKETSTORM: 92371 // CNNVD: CNNVD-201008-051 // NVD: CVE-2010-2973

CREDITS

comex

Trust: 0.3

sources: BID: 42151

SOURCES

db:	VULHUB	id:	VHN-45578
db:	BID	id:	42151
db:	JVNDB	id:	JVNDB-2010-001949
db:	PACKETSTORM	id:	92371
db:	CNNVD	id:	CNNVD-201008-051
db:	NVD	id:	CVE-2010-2973

LAST UPDATE DATE

2024-11-23T21:14:02.029000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-45578	date:	2010-08-18T00:00:00
db:	BID	id:	42151	date:	2015-04-13T22:11:00
db:	JVNDB	id:	JVNDB-2010-001949	date:	2010-09-06T00:00:00
db:	CNNVD	id:	CNNVD-201008-051	date:	2022-08-10T00:00:00
db:	NVD	id:	CVE-2010-2973	date:	2024-11-21T01:17:45.813

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-45578	date:	2010-08-05T00:00:00
db:	BID	id:	42151	date:	2010-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2010-001949	date:	2010-09-06T00:00:00
db:	PACKETSTORM	id:	92371	date:	2010-08-05T13:57:00
db:	CNNVD	id:	CNNVD-201008-051	date:	2010-08-12T00:00:00
db:	NVD	id:	CVE-2010-2973	date:	2010-08-05T18:17:58.197